-rw-r--r-- | ca.conf | 3 | ||||
-rwxr-xr-x | sign-ca.in | 26 |
2 files changed, 19 insertions, 10 deletions
@@ -4,6 +4,9 @@ ca_name='eckner-ca' ca_subject_prefix='/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net' +# which system user owns the ca +ca_user='erich' + # where should the ca certificates be published? remote_host='user@example.com' remote_dir='httpdocs/certs' @@ -10,14 +10,19 @@ if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then . '#ETCDIR#/simple-pki/ca.conf' fi +if [ -n "${ca_user}" ] \ +&& [ "$(whoami)" != "${ca_user}" ]; then + exec su "${ca_user}" -c "$0" +fi + if [ -f "${key_dir}/${ca_name}.key.new" ] \ && [ -f "${key_dir}/${ca_name}.crt.new" ]; then if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \ || [ ! -f "${key_dir}/${ca_name}.key" ] \ || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \ || [ ! -f "${key_dir}/${ca_name}.crt" ]; then - mv "${key_dir}/${host_key_file}.key"{.new,} - mv "${key_dir}/${host_key_file}.crt"{.new,} + mv "${key_dir}/${ca_name}.key"{.new,} + mv "${key_dir}/${ca_name}.crt"{.new,} fi fi @@ -33,7 +38,7 @@ if [ ! -f "${key_dir}/${ca_name}.key.new" ] \ -addext 'authorityKeyIdentifier = keyid:always, issuer' \ -addext 'basicConstraints = critical, CA:true' \ -addext 'keyUsage = keyCertSign, cRLSign' -done +fi rsync --ignore-missing-args \ "${key_dir}/${ca_name}.crt"{.new,} \ @@ -41,13 +46,14 @@ rsync --ignore-missing-args \ ( cd "${key_dir}" - printf '%s %s\n' "$( - date -u --iso-8601=seconds -d@$(stat -c%Y "${ca_name}.key") \ - | cut -d+ -f1 - )" "$( - sha512sum "${ca_name}.key" \ - | sed 's/\s\+/ /' - )" + find . -maxdepth 1 \ + -type f \( -name "${ca_name}"'.crt' -o -name "${ca_name}"'.crt.new' \) \ + -printf '%TY-%Tm-%TdT%TT ' \ + -exec sha512sum {} \; \ + | sed ' + s/\.[0-9]\+ / / + s@\s\s\+\(\S\+/\)\?@ @ + ' ) \ | ssh "${remote_host}" ' cd "'"${remote_dir}"'" |
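Review bot: The new `ca_user='erich'` default names a concrete account, while the neighbouring defaults in this file (`remote_host='user@example.com'`, `remote_dir='httpdocs/certs'`) are clearly placeholders; if ca.conf is installed as shipped, sign-ca will `exec su erich` on any host where that account does not exist and fail. The guard added in sign-ca.in already treats an empty value as "do not switch user", so shipping it empty is the safer default. Suggested lines: `# which system user owns the ca (empty: run as the invoking user)` and `ca_user=''`.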
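Review bot: In the new re-exec guard, `exec su "${ca_user}" -c "$0"` splices the script path into the command string that su hands to the target user's shell, so a path containing whitespace or shell metacharacters is word-split or re-interpreted there, and any arguments sign-ca was invoked with are silently dropped. Passing the path and arguments as positional parameters keeps them opaque: `exec su -c 'exec "$0" "$@"' -- "${ca_user}" "$0" "$@"` (util-linux su forwards the arguments after the user name to the shell, which binds the first to `$0`; confirm against the su actually in use). `whoami` is not POSIX while `id -un` is, so `[ "$(id -un)" != "${ca_user}" ]` is the portable spelling of the same check. Note that a relative `$0` only survives the re-exec because su without `-` keeps the working directory; resolving it first (e.g. `readlink -f "$0"`) removes that dependence.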
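Review bot: The timestamp published next to each digest changes meaning in the new pipeline: the replaced lines rendered it with `date -u`, i.e. UTC, whereas GNU `find -printf '%TY-%Tm-%TdT%TT '` formats the mtime in the process's local time zone, so the remote listing now carries an unlabelled local time that varies with the CA host's TZ setting. Pinning the zone on the find invocation restores the previous semantics with one token: `TZ=UTC0 find . -maxdepth 1 \`. The following sed drops `%TT`'s fractional seconds and the `./` prefix sha512sum prints, which is correct but not obvious; a one-line comment above it such as `# line format: <mtime, UTC, whole seconds> <sha512> <bare file name>` would spare the next reader the decoding. The `ssh` consumer of this pipeline continues beyond the hunk.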